From the CUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.

Hi, and welcome to another CUBE Conversation. I'm Stu Miniman coming to you from our Boston Area office. We've been in the cloud native ecosystem for many years. We know many open source projects, really helping to drive innovation, help companies modernize what they're doing. And one of the companies that leads one of those initiatives, happy to welcome to the program, we're gonna be talking to the co-founder and CTO of Styra, that is Tim Hinrichs, first time on the CUBE, of course the company behind OPA. Tim, thank you for joining us, welcome to the program.

Hi, Stu, thanks for having me.

All right, so we've had the CEO of Styra, Bill Mann, on the program before, he's a many time CUBE alum. It's your first time, and I always love when I get the founder on the program. Of course, the question is, give us the why, Tim? There is no shortage of tools out there in the industry, but as we've seen in the ecosystem, there's always companies, I wish something had happened, I wish we had something there. Often they build it for themselves and then create a project. So bring us back a little bit to that origin story and what you and the team, what was the inspiration?

Yeah, so the first thing to know is that really at Styra, what we're focused on is helping enterprises that are embracing cloud native technology sort of enforce and control the authorization policies across all their different cloud native software. So I remember authorization is that problem of which people and which machines can perform which actions on software. And so the way this all got started was we were at VMware before we founded Styra and we were talking to a number of customers from finance and tech. And what they did is they had built one of these things.
They had built a unified solution of policy to manage their authorization needs across many different pieces of software. And so at that point, we knew that the problem was very real because people had to solve it themselves. And so when we...

I'm sorry, Tim, just one thing to make sure I understand this. So in the policy management you talk about there, help me understand how that fits into say identity management, which is one of the top things we think about when I'm managing my IT, when I go to the cloud, it seems related but different, yes?

Absolutely, yeah. So identity management is really this problem of who are you? It's often solved from a user's point of view by providing a username and a password or a thumbprint or a multi-factor authentication. That's an important problem that needs to be solved. That's authentication or identity and it's really about proving who you are. But authorization is the next step. It's about actions. Can you perform once you've convinced the machine who you are? And so really that's the piece that we focused on.

All right, yeah, right. Once we get people in, we need to... It's usually you wanna give them the least amount of access possible. We understand that from a security standpoint. We need to do this. So you've said what the kind of problem was and that this is there. So open source, I mean, we know often it's... There's many reasons why projects end up open source. So give us the journey here.

Yeah, so at Styra, we've really got two pieces of software. So one of which, as you say, is completely open source. It's become the Open Policy Agent project. We decided to open source it and then eventually donate it to the CNCF because its sort of mission in life is to make authorization decisions, make decisions about if an action that a user or a machine is trying to take is safe or not. And that project is really designed to be a decision maker across all the different kinds of software in the cloud-native ecosystem.
And so naturally, there's a need for a lot of expertise about a whole bunch of different areas, about a whole bunch of different pieces of software. And the best way to sort of leverage all of the world's knowledge about all those different pieces of software is to put that project out into the open. And so for us, it was just an easy, very easy thing to do. Every single line of code that goes into OPA has been done in the open.

Well, absolutely, it's a project. I know I've seen the stickers, I've seen people talking about it and the breakouts at the KubeCon CloudNativeCon shows, let's not leave everybody waiting for the news though, Tim. It had been an incubating project. I believe you've got some news for us.

Yep, absolutely. So OPA has now officially graduated. It's now moved from incubation into the graduation portion of the CNCF. And for us, it's really exciting because it really is a reflection of the maturity of the project, right? There's so many people using OPA and using it to solve all kinds of different use cases or even seeing vendors pick it up and offer native integrations with their homegrown software. So it's really exciting to see the progress that the project has made.

Just for our audience that might not be familiar, what does this mean now that it's graduated as a maturity level? Is it production ready? What are those criteria that allowed it to go from that incubating stage to the graduation?

Yeah, so there are a bunch of criteria, but I think the biggest one really is really users in production, right? It has been proven at scale for many different users all over the world, right? CNCF just did a survey recently, there are a couple of hundred different organizations all across the world who were using OPA in some way, shape or form. We see it all the time in KubeCon and CloudNativeCon talks. You can hear all about all the folks who are using it.
Yeah, so maybe it would help if you've got a customer example or a use case that you can walk us through as to how exactly that fits.

For sure, yeah. So the nice thing about OPA and more generally, Styra, is that you can apply it to all different kinds of use cases. So there are a couple of very popular ones using it for Kubernetes admission control or microservice authorization. Those are the two most popular right now and they both work roughly the same way, but I'll give you a concrete example. For Kubernetes, anytime some end user's trying to spin up a new resource, whether it's a pod or an ingress or anything on the Kube cluster, you can integrate OPA with that Kube API server and allow OPA to make a decision. Is this new resource safe to deploy on the cluster or is it not? Microservice authorization works almost exactly the same way. Every time one of those microservices receives an API call, it can ask OPA, is this API call safe for me to execute or not? And so both of those are gonna work in basically the same way and that's true for all the other applications and use cases for OPA.

Okay, and give us some of the stats if you would. How many companies and people contributed to it? What's the customer base look like?

Yeah, so I think there are a bunch of interesting metrics. I think that one that's most interesting to me is the number of downloads a week. Right now we're at roughly a million downloads a week, which is super exciting. I remember those days when we hit that one million mark total then we were very excited. And so now we're at a point where it's every week where we're hitting a million downloads. All kinds of contributors as well. And I think another good metric there to think about are talks. I think we had nearly 50 talks, organic talks from end users on OPA that we ran across last year.

Well, it's wonderful. The thing we love in that ecosystem there is it's not just using it, contributing to the code, sharing with the community.
Tim, what are the challenges in this ecosystem? If you go to the CNCF website and you look at the landscape, it's a little bit scary and daunting just because there's so many different pieces. What I want to understand from OPA is, are there any dependencies there when you think about the other services that it interacts with or does it just kind of do its own thing and enables customers?

Yeah, so OPA was designed to be a standalone project. It doesn't depend on really any other CNCF or really any other project. It was designed to make these policy or these authorization decisions. But at the same time, it was also designed to make it very easy to integrate with a wide range of software systems. And so I think on the OPA website, we've got over 25 different integrations that we or the community have built around OPA to go ahead and deliver on that vision of unified authorization.

You mentioned that Styra has kind of two pieces. Help us understand what does graduating mean for customers in general and for Styra. Help us understand a little bit more the business that goes along with it.

Yeah, so like I said, that first piece that we built, that first piece of software we built was the Open Policy Agent Project Open Source. The second piece of software that we built is a control plane for OPA. The idea architecturally behind OPA is that you don't have one copy of OPA running, typically you might have 10 or 100 or 1,000 copies of OPA running, and you do that for availability and performance, say for decision making. And so Styra's second piece of software is what we call the declarative authorization service. It is a control plane, a management plane, a single pane of glass that allows you to operationalize OPA at scale for the enterprise. So it really is designed to give you that ability to control and manage, distribute policy, write policy, log all the policy decisions for all those OPAs.
And so that's really where we're, that's the second piece of software that we're putting a lot of effort and energy into.

All right, now that the graduation is there, what does this mean? Give us a little bit of the roadmap, you're the CTO. We know there's always, you know, feedback and other updates coming. So what should we be expecting to be seeing going forward?

Yeah, so there are a couple of things I'll mention here. One of which is that with OPA we did a survey recently just trying to get a sense as to what the community needs and how they're using OPA. And so one of the things we found was that the fastest growing use case for OPA, it looks to be application authorization, right? So if you're building a custom application, maybe it's a banking application, that application needs to decide, every time a user performs an action, is this authorized or not? So if I'm trying to withdraw money from an account, is it safe or not? And so that's the fastest growing use case for OPA that we saw on that. And so what I expect to see is more and more people talking about using OPA for that application level authorization. On the Styra side, I think what we're looking forward to is just continuing to chat with the community and understand what they need around operationalizing OPA and making that control plane, that management plane, do all the things that enterprises need to operationalize OPA at scale.

Tim, you've reached the graduation, which is a phenomenal milestone in the project there. There's so many other projects out there. I wonder what advice you would give to other people, starting a business, starting a project, engaging with the open source community. But what have you learned along the way? Any lessons learned and what feedback would you give others?

Absolutely, yeah. So if I'm talking to somebody else who's interested in starting an open source project, I'll give them a little bit of advice. So the first of which is that, certainly the code matters a lot.
Code's got to be technically sound. It's got to be solving real problems. Everybody understands that. I think what a lot of people understand less of is that when you start a project, you need to put a lot of energy into growing that community, that communication. You need to focus a lot. You need to reach out to end users and actively engage with them, help them, understand what the project's good for, help them be successful with it. And so I think that that piece is what a lot of people don't really understand. And it's something that I think that if more people did, we'd see a lot more successful open source projects.

All right, Tim, I'll let you have the final word and any final things you want to get a feedback to the community or potential customers for Styra.

Sure, yeah. So first of all, I'd like to say thank you to all of our community members, all the users who've worked with us, all of the vendors who are doing integrations with OPA. And we'd love to see it, we'd love to see more of it. And at the end of the day, I gotta say, I'm super excited to be working both with OPA and in our commercial declarative authorization service to really deliver on that vision of unified authorization and deliver that to the world at large.

Tim, congratulations to you and the whole OPA team and Styra. Definitely looking forward to seeing you with the next gathering of the community and we'll hear more updates in the future.

Thanks so much for having me, Stu, this is great.

All right, and be sure to check out thecube.net for all the back catalog of interviews that we've done, including with the CEO of Styra, as well as upcoming events that we will be at, including, of course, KubeCon CloudNativeCon North America happening later this year virtually. I'm Stu Miniman, thank you for watching theCUBE.